         INFORMATION ASSURANCE FOR THE DEFENSE
             CIVILIAN PERSONNEL DATA SYSTEM -
           WASHINGTON HEADQUARTERS SERVICES

Report No. 98-143                         June 3, 1998

              Office of the Inspector General
                  Department of Defense

     Additional Copies

     To obtain additional copies of this audit report, contact the Secondary Reports
     Distribution Unit of the Analysis, Planning, and Technical Support Directorate at
     (703) 604-8937 (DSN 664-8937) or FAX (703) 604-8932 or visit the Inspector
     General, DOD, Home Page at: WWW.DODIG.OSD.MIL.

     Suggestions for Future Audits

     To suggest ideas for or to request future audits, contact the Planning and
     Coordination Branch of the Analysis, Planning, and Technical Support
     Directorate at (703) 604-8908 (DSN 664-8908) or FAX (703) 604-8932. Ideas
     and requests can also be mailed to:

                         OAIG-AUD (ATTN: APTS Audit Suggestions)
                         Inspector General, Department of Defense
                         400 Army Navy Drive (Room 801)
                         Arlington, Virginia 22202-2884

     Defense Hotline

     To report fraud, waste, or abuse, contact the Defense Hotline by calling
     (800) 424-9098; by sending an electronic message to
     Hotline@DODIG.OSD.MIL; or by writing to the Defense Hotline, The
     Pentagon, Washington, D.C. 20301-1900.
     The identity of each writer and caller
     is fully protected.

Acronyms

CSU                      Customer Support Unit
DCPDS                    Defense Civilian Personnel Data System
RSC                      Regional Service Center
WHS                      Washington Headquarters Services

                            INSPECTOR GENERAL
                            DEPARTMENT OF DEFENSE
                              400 ARMY NAVY DRIVE
                            ARLINGTON, VIRGINIA 22202

                                                                            June 3, 1998

MEMORANDUM FOR DIRECTOR, ADMINISTRATION AND MANAGEMENT
               ASSISTANT SECRETARY OF THE AIR FORCE
                 (FINANCIAL MANAGEMENT AND COMPTROLLER)

SUBJECT: Audit Report on Information Assurance for the Defense Civilian Personnel
         Data System - Washington Headquarters Services
         (Report No. 98-143)

       We are providing this audit report for review and comment. This is the final of
four reports on the Defense Civilian Personnel Data System. We considered
management comments on a draft of this report in preparing it.

       DOD Directive 7650.3 requires that all recommendations be resolved promptly.
As a result of management comments, we revised Recommendation 1.c. Accordingly,
we request that the Director for Personnel and Security, Washington Headquarters
Services, provide comments on Recommendation 1.c. by August 3, 1998.

       We appreciate the courtesies extended to the audit staff. Questions on the audit
should be directed to Ms. Mary Lu Ugone at (703) 604-9049 (DSN 664-9049) or
Ms. Cecelia A. Miggins at (703) 604-9046 (DSN 664-9046). See Appendix F for the
report distribution. The audit team members are listed inside the back cover.

                                         Robert J. Lieberman
                                      Assistant Inspector General
                                             for Auditing

                         Office of the Inspector General, DOD

Report No. 98-143                                                         June 3, 1998
   (Project No. 7RE-3006.03)

         Information Assurance for the Defense Civilian Personnel
             Data System - Washington Headquarters Services

                                 Executive Summary

Introduction. This report is the last of four reports in our ongoing review of the
Defense Civilian Personnel Data System. The previous reports discussed acquisition
management controls for the Defense Civilian Personnel Data System, information
assurance controls for the overall system, and information assurance controls for the
Defense Civilian Personnel Data System as it related to Navy. The Defense Civilian
Personnel Data System currently in operation is a legacy automated information system
that processes sensitive-but-unclassified information for at least 750,000 DOD civilian
personnel records. The DOD is modernizing the Defense Civilian Personnel Data
System as it regionalizes the delivery of civilian personnel service into 22 regional
service centers and approximately 300 customer support units. The modern Defense
Civilian Personnel Data System is scheduled to replace the legacy system when
regionalization is completed. The Washington Headquarters Services, Human
Resource Services Center, will serve as one of the three Defense agency regions and
serves seven customer support units, processing approximately 10,000 personnel
records.

Audit Objectives. The overall audit objective was to evaluate the adequacy of
information assurance for the Defense Civilian Personnel Data System at Washington
Headquarters Services. Specifically, we evaluated security planning, risk analysis, and
security management. We did not evaluate the security of network and
communications infrastructure because DOD resources were not available to conduct
vulnerability assessments. We also reviewed the management control program as it
applied to the audit objectives.

Audit Results. Washington Headquarters Services has a security policy, security plan,
contingency plan, and system access and physical security controls in place; however,
it needs to improve information assurance for the Defense Civilian Personnel Data
System. Without adequate information assurance controls, Washington Headquarters
Services cannot ensure the confidentiality, integrity, and availability of more
than 10,000 personnel records. See Part I for the complete discussion and Appendix A
for details of the review of the management control program.

Corrective Actions Taken or Planned. Washington Headquarters Services initiated
the purchase of security software that will work with its recently purchased firewall.
Washington Headquarters Services plans to use the security software to manage and
audit all servers on the network and to perform a systems security risk-and-
vulnerability assessment. Also, Washington Headquarters Services is incorporating an
annual mandatory computer security awareness training course in accordance with the
Computer Security Act of 1987.

Summary of Recommendations. We recommend that the Director for Personnel and
Security, Washington Headquarters Services, improve the information assurance
program by directing the appropriate security personnel to conduct a risk analysis to
identify and define overall system threats and vulnerabilities; conduct a systems test and
evaluation; and establish a memorandum of agreement with customer support units to
complete a security plan, contingency plan, and system accreditation and to conduct a
risk analysis, as well as systems test and evaluation. We also recommend that the
Technical Director, Directorate of Personnel Data Systems, Air Force Personnel
Center, coordinate with Washington Headquarters Services training requirements for
designated security personnel for the Defense Civilian Personnel Data System
information assurance program.

Management Comments. The Director, Washington Headquarters Services,
concurred with all but one recommendation, stating that no command and control
relationship exists between the Washington Headquarters Services Regional Service
Center and the customer support units. He noted that each customer support unit is
responsible for completing its own security plan, security policy, contingency plan,
system accreditation, risk analysis, and systems test and evaluation. The Department of
the Air Force concurred with the recommendation and initiated needed actions. See
Part I for a discussion of management comments and Part III for the complete text of
the management comments. Also, see Appendix E for a discussion of management
comments on the finding.

Audit Response. The Washington Headquarters Services comments were partially
responsive.
Despite the lack of a command and control relationship between the
Washington Headquarters Services Regional Service Center and the customer support
units, risks exist in relation to the confidentiality, integrity, and availability of
personnel data processed using the Defense Civilian Personnel Data System. Although
each customer support unit is responsible for completing its own security requirements,
the customer support units can access the Washington Headquarters Services Regional
Service Center regional database. The Washington Headquarters Services Regional
Service Center therefore should seek assurance that the customer support units have
adequately implemented security within their information technology environments
before allowing access to its regional database. A command and control relationship
should not be necessary. We request that the Washington Headquarters Services
reconsider its position on the revised recommendation to establish a memorandum of
agreement with its customer support units and provide further comments by
August 3, 1998.

Table of Contents

Executive Summary

Part I - Audit Results

      Audit Background
      Audit Objectives
      Information Assurance Program

Part II - Additional Information

      Appendix A. Audit Process
        Scope and Methodology
        Management Control Program
      Appendix B. Summary of Prior Coverage
      Appendix C. Glossary
      Appendix D. Configuration for the Defense Civilian Personnel Data System
      Appendix E. Management Comments on the Finding and Audit Response
      Appendix F. Report Distribution

Part III - Management Comments

      Washington Headquarters Services Comments
      Department of the Air Force Comments
      Civilian Personnel Management Service Comments

Part I - Audit Results

Audit Background

    Defense Civilian Personnel Data System. The Assistant Secretary of Defense
    (Command, Control, Communications, and Intelligence) designated the Defense
    Civilian Personnel Data System (DCPDS) as an interim standard system in an
    April 22, 1991, memorandum. The memorandum designated the Secretary of
    the Air Force as the executive agent for the DCPDS. At that time, DCPDS
    consisted of a core system, the Air-Force-developed Personnel Data System-
    Civilian, plus distinct Army and Navy versions of Personnel Data System-
    Civilian. Since 1991, DOD has transitioned the Military Departments and most
    Defense agencies to a standard DCPDS. The modern DCPDS program will
    provide a seamless automated information system that will provide support for
    personnel policy actions and personnel decisions during peacetime,
    contingencies, and wartime.
    The modern DCPDS will support all DOD
    Components worldwide and will be used by personnel officials, employees,
    managers, and senior leadership at all levels of DOD operations throughout the
    world. The modern DCPDS is envisioned to enable one personnel specialist to
    provide personnel services to about 100 civilian personnel. The modern
    DCPDS is also envisioned to eliminate duplicative DOD Component and
    Defense agency personnel system costs and to reduce maintenance costs for
    mainframe computers. The current operational DCPDS supports the Military
    Departments and Defense agencies and consists of DCPDS software applications
    called personnel process improvements. The personnel process improvements
    are an important element in migrating to the modern system. The personnel
    process improvements application programs provide electronic means to
    generate, route, and process personnel actions; create and classify positions;
    initiate, route, and track training requests; and access current personnel database
    and associated data from other functional areas. The functionality of the
    personnel process improvement software applications will be included in the
    modern DCPDS. The DCPDS interim system is designed to improve and
    enhance personnel staffs during the DOD transition to a downsized workforce.

    Washington Headquarters Services. In November 1993, the Secretary of
    Defense, by Program Decision Memorandum, directed the Defense agencies to
    consolidate their civilian personnel operations into three regional service centers
    (RSCs) from FY 1995 through FY 1998. The RSCs will be the repository for
    regional DCPDS databases and for official personnel files. In establishing the
    RSCs, economies of scale will be gained by concentrating personnel support
    functions at one location. Approximately 60 percent of the current personnel
    operations workload will migrate from agency personnel offices to the RSC.
    The remaining workload will be completed in the customer service centers that
    are managed by the agencies. The key element to achieving the expected cost
    benefits and other efficiencies is the electronic connections among agency
    managers and supervisors, the customer support units (CSUs), and the RSC,
    which collectively will service approximately 10,000 employees. In May 1994,
    the Defense Agencies Planning Team developed a regionalization concept plan
    that would create a National Capital Region in the Washington, D.C.,
    Metropolitan Area in FY 1996, with two additional regions to be established in
    FYs 1997 and 1998, respectively. Washington Headquarters Services (WHS)
    would manage the RSC and would consolidate portions of the WHS civilian
    personnel offices, the Uniformed Services University of the Health Sciences,
    the Defense Information Systems Agency, the Defense Investigative Service, the
    On-Site Inspection Agency, the Defense Nuclear Agency, and the Joint Staff.

Audit Objectives

    The overall audit objective was to evaluate the adequacy of information
    assurance for the DCPDS at WHS. Specifically, we evaluated the security
    planning, risk analysis, and security management. We did not evaluate the
    security of network and communications infrastructure because DOD resources
    were not available to conduct vulnerability assessments. We also reviewed the
    management control program as it applied to the audit objectives. See
    Appendix A for a discussion of the audit scope and methodology and the review
    of the management control program. Appendix B provides a summary of prior
    coverage related to the audit objectives.

Information Assurance Program

        WHS possesses a security policy, security plan, and contingency plan,
        and has system access and physical security controls in place. However,
        WHS needs to improve information assurance for DCPDS because it did
        not have the required information assurance controls in place to do the
        following:

            • conduct a risk analysis for its organization to identify and
              define overall system threats and vulnerabilities as required by DOD
              Directive 5200.28, "Security Requirements for Automated Information
              Systems (AISs)," March 21, 1988 (The Directive);

            • complete a systems security test and evaluation; or

            • obtain assurance that its CSUs completed a security plan,
              contingency plan, and system accreditation and conducted a risk
              analysis and systems test and evaluation.

        Additionally, the DCPDS functional and acquisition program managers
        did not coordinate with WHS to provide training requirements for
        designated security personnel for the DCPDS information assurance
        program.

        As a result, without those controls, WHS cannot ensure the
        confidentiality, integrity, and availability of more than 10,000 personnel
        records.

Requirements for Information Assurance Controls

    DOD Directive 5200.28, "Security Requirements for Automated
    Information Systems (AISs)," March 21, 1988. The Directive states that at a
    minimum, a risk management program should be in place to determine how
    much protection is required, how much exists, and the most economical way of
    providing the needed protection.
    According to the Directive, risk management
    is the total process of identifying, measuring, and minimizing uncertain events
    affecting automated information system resources. It includes conducting a risk
    analysis, cost benefit analysis, safeguard selection and implementation, security
    test and evaluation, and systems review. A risk analysis examines system assets
    and vulnerabilities to establish an expected loss from certain events based on
    estimated probabilities of occurrence.

    The Directive also requires a training and awareness program to provide for the
    security needs of all persons accessing the automated information systems. The
    security training and awareness program must ensure that all persons responsible
    for the automated information system or information in the system and all
    persons who access the automated information system are aware of operational
    and security-related procedures and risk.

    The Computer Security Act of 1987. The Computer Security Act of 1987
    requires computer security plans to be developed for all Federal computer
    systems that contain sensitive information to ensure data integrity, availability,
    and confidentiality. The Act defines sensitive information as:

               . . . any information, the loss, misuse, or unauthorized access to, or
               modification of which could adversely affect the national interest or
               the conduct of Federal programs, or the privacy to which individuals
               are entitled . . . .

    The Privacy Act of 1974. DOD civilian personnel data are subject to
    provisions of the Privacy Act of 1974. The Privacy Act generally requires
    Federal agencies to safeguard personal information from disclosure to any other
    organization or individual without the consent of the individual to whom the
    information pertains. The Privacy Act also requires each agency to account for
    disclosures of information to other organizations and individuals.

Responsibilities for DCPDS Information Assurance

    The DCPDS functional and acquisition managers, and WHS and its CSUs, all
    have shared roles and responsibilities in safeguarding the DCPDS personnel
    data. The organizations must fulfill their responsibilities to achieve information
    assurance for DCPDS.

    Directorate of Personnel Data Systems Responsibilities. According to the
    Air Force Personnel Center Pamphlet 38-1, "Organizations and Functions,"
    April 14, 1997, the Directorate of Personnel Data Systems is responsible for
    establishing, directing, and managing communications-computer systems
    security policy and procedures covering DCPDS as it extends to all
    organizational levels of Federal and DOD organizations and civil agencies.

    RSC Responsibilities. The WHS RSC maintains its own domain and is
    responsible for instituting its own security protection mechanisms and
    procedures as well as for implementing the minimum security requirements
    needed for systems to be secure in accordance with DOD regulations. To meet
    minimum security requirements, WHS must accredit its automated information
    system. An accreditation is the approval to operate in a particular security
    mode using prescribed safeguards. Part of the accreditation process is
    performing a risk analysis of system assets and vulnerabilities to establish an
    expected loss from certain events based on estimated probabilities of
    occurrence.

    CSU Responsibilities. The CSU systems architecture consists primarily of a
    desktop personal computer that processes sensitive-but-unclassified data. To
    achieve appropriate measures against threats and vulnerabilities, each CSU is
    responsible for conducting a risk analysis to identify most risks and threats
    associated with each workstation that processes personnel data.

Existing Controls

    Systems Access Controls. DOD Standard 5200.28-STD, "Department of
    Defense Trusted Computer Security Evaluation Criteria," December 1985,
    requires that access to the system is not given to individuals lacking proper
    authority. Systems access controls were in place at WHS and its CSUs. The
    RSC generates and controls passwords for access to DCPDS and the personnel
    process improvements suites. All new users must attend training for the
    personnel process improvements suites before obtaining access to the DCPDS
    and the personnel process improvements suites. The system administrator
    determines the level of access granted to new users based on a matrix received
    from the CSU. The CSU determines whether requested access is appropriate,
    based on the responsibilities and duties of the user. Password expiration is not
    automatically required by the system; however, users are encouraged to change
    their passwords periodically.

    Physical Security. The Directive states that, as a minimum security
    requirement, automated information systems hardware, software,
    documentation, and all classified and sensitive-but-unclassified data handled by
    the automated information system must be protected to prevent unauthorized
    disclosure, destruction, or modification. The Directive also states that software
    development and related activities must be physically controlled and protected
    when the software is used for handling classified or sensitive-but-unclassified
    information. Physical security controls were in place at WHS and its CSUs.
    Specifically, at WHS, visitors are required to obtain temporary visitor badges
    upon entry into the WHS RSC building; servers and network components are
    located in a locked room that is not accessible to unauthorized personnel; and
    visitors are escorted while in the computer room facilities. Physical security
    controls at the On-Site Inspection Agency consist of 24-hour security guards at
    the building's main entrance, card readers at each entrance, and escorting
    visitors without a security clearance; a badge requirement for authorized
    personnel for entry after normal work hours; and camera use. Authorized
    personnel are required to enter their PINs into keypads to gain access to
    the computer room. Physical security controls at the Joint Staff consist of
    access being limited to those who have the required clearances and access
    authorization. The barriers include guards, locks, vaults, security containers,
    closed circuit television cameras, and intrusion detection alarm systems.

Adequacy of the Information Assurance Program for the
Defense Civilian Personnel Data System

    WHS did not have an adequate information assurance program for DCPDS.
    Specifically, WHS did not perform a risk analysis and a systems security test
    and evaluation. It also did not establish an annual mandatory security training
    and awareness program. The DCPDS interconnectivity, with numerous
    information systems and use of the Internet to transfer sensitive personnel data,
    demands an information assurance program to protect the confidentiality,
    integrity, and availability of data processed. The underlying requirement of an
    information assurance program for WHS is to provide reasonable assurance that
    personnel information that DCPDS processes is reliable and properly
    safeguarded.

    An information assurance program should address key issues such as planning,
    risk management, and accreditation. The program would provide for collecting
    information on the organization's security position; planning for program
    implementation; analyzing, quantifying, and countering risks; planning for
    disaster recovery; implementing tests; compiling accreditation documentation;
    and accrediting the system, network, or both. Key documents to be developed
    as a result of performing the tasks should include the security policy and plan,
    risk assessment, contingency plan, systems test and evaluation, and a signed
    statement of accreditation by the designated approving authority.
The adequacy\n    of the information assurance program is determined based on the completion\n    and implementation of the documents as well as implementation of system\n    access controls, physical security controls, and an adequate security training and\n    awareness program.\n\n\nInformation Assurance Control Documentation\n\n    DOD guidance requires that organizations processing sensitive-but-unclassified\n    data establish and implement an information assurance program. An\n    information assurance program consists of developing and implementing\n    documentation such as a security policy, security plan, contingency plan, and\n    systems security test and evaluation, and having a signed statement of\n    accreditation by the designated approving authority. In addition, WHS and its\n    CSUs must have system access controls, physical security controls, and an\n    adequate security training and awareness program in place.\n    Security Policy. DOD Standard 5200.2%STD, \xe2\x80\x9cDepartment of Defense\n    Trusted Computer Security Evaluation Criteria, n December 1985, states that      an\n    explicit and well-defined security policy must be enforced so that no one can\n    access the system without the proper authority. It requires security policy to\n    reflect the laws, regulations, and general policies from which it is derived.\n    WHS and its CSUs developed and implemented security policies for its\n    organizations.\n\n\n\n\n                                        7\n\x0cInformation Assurance Program\n\n\n      Security Plan. The Computer Security Act of 1987 requires computer security\n      plans to be developed for all Federal computer systems that contain sensitive\n      information to ensure their integrity, availability, and confidentiality. 
The\n      security plan describes the strategy for implementing information assurance and\n      establishes a methodology for validating the security requirements identified in\n      the security policy. Both WHS and the Joint Staff developed a security plan\n      that establishes a formal security policy and defines the organizational\n      mechanisms necessary for implementation and enforcement. Although the On-\n      Site Inspection Agency\xe2\x80\x99s security policy stated that a system security plan will\n      be prepared and maintained for all automated information systems, including\n      networks processing classified or sensitive-but-unclassified information, it did\n      not provide a completed security plan. Without an established security plan, the\n      On-Site Inspection Agency has no assurance that it has developed a strategy for\n      implementing information assurance controls and a methodology for validating\n      security requirements.\n\n     Contingency Plan. The Directive requires that contingency plans be developed\n     and tested to ensure that automated information system security controls\n     function reliably and, if they do not, that adequate backup functions are in place\n     to ensure that security functions are maintained continuously during interrupted\n     service. The Directive also states that if data are modified or destroyed,\n     recovery procedures must be in place. WHS developed a Disaster Recovery\n     Plan, which is a contingency plan outlining the procedures for recovering the\n     primary RSC functions from disruption of services. The primary RSC functions\n     include providing regional database access to the CSUs and the personnel\n     specialists, providing capability for updating the regional database from the\n     DCPDS located at Randolph Air Force Base, and providing RSC employees\n     access to the RSC Administration Servers. 
The purpose of the Disaster\n     Recovery Plan is to minimize the number of decisions that must be made\n     following a disruption of service. The plan is divided into two sections: the\n     Continuity of Operations Plan and the Emergency Procedures Plan. The\n     Continuity of Operations Plan addresses procedures that must be followed when\n     extended systems outages occur. It also outlines a plan of action to recover\n     from the loss of communications capabilities to network and power outages and\n     hardware failures of the RSC equipment. The Emergency Procedures Plan\n     provides guidance to the RSC System Administrators on the procedures\n     necessary for the system to be shut down and brought back on line safely.\n\n     The Joint Staff and the On-Site Inspection Agency did not provide contingency\n     plans. According to the Joint Staff, the development of a contingency plan is\n     based on each organization\xe2\x80\x99s determination of whether the applications on its\n     network are critical. According to the Joint Staff, Chief of Security Division,\n     DCPDS is considered critical, and the Joint Staff should have addressed\n     procedures for recovery from disruption of services. According to the On-Site\n\n\n\n\n                                         8\n\x0c                                                    Information Assurance Program\n\n\n     Inspection Agency, a formal contingency plan is not required for its automated\n     inf&rnation systems. As a result, &e t&o CSUs have no assnrance that they\n     can recover from a disaster or an interruption of services.\n\n\nRisk Analysis\n\n     Requirement for Risk Analysis. The Directive requires that sensitive-but-\n     unclassified information be safeguarded to ensure confidentiality, integrity, and\n     availability. It also requires systems, networks, or both to be accredited. 
An accreditation is an approval to operate in a particular security mode using prescribed safeguards. Performing a risk analysis is part of the accreditation process: an examination of system assets and vulnerabilities is conducted to establish an expected loss from certain events based on estimated probabilities of occurrence. In addition to the DOD guidance requiring a risk analysis, the DCPDS Acquisition Program Manager developed guidance for the RSCs on the need to conduct an operational certification. According to the DCPDS Acquisition Program Manager, operational certification and risk analysis checklists and guidelines were prepared and distributed to all components. They were also included as attachments to a memorandum issued by the DCPDS Acquisition Program Manager. In the Memorandum for Component Project Managers, "Operational Certification-Regional Service Centers/Risk Analysis Status," January 13, 1997, the DCPDS Acquisition Program Manager emphasized that the certification step is an integral part of the process to ensure system integrity and risk analysis continuity. The memorandum further states that one of the phases of the DCPDS program security process requires an initial risk analysis or an update of the current analysis.

Performance of Risk Analysis. Despite the DOD Directive requiring a risk analysis and the guidance provided by the DCPDS Acquisition Program Manager, neither the RSC nor its CSUs -- WHS, the Joint Staff, and the On-Site Inspection Agency -- conducted a risk analysis to identify security risks, to determine their magnitude, and to identify areas needing safeguards. In addition, they did not conduct accreditations of their workstations to support DCPDS certification and accreditation.
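The expected-loss calculation the report describes, carried through as an added worked example. The code below is not from the audit report and is not the security software WHS procured; it assumes a small, constructed risk register for an environment like the one the report describes (a regional database, RSC administration servers, and CSU workstations). Every asset, dollar value, exposure factor and annual rate is constructed for illustration, and the functions rank_exposures, areas_needing_safeguards and safeguard_net_benefit are the example's own names.

```python
"""Expected-loss risk analysis over a small asset register.

Added worked example; not part of the audit report. The report defines a risk
analysis as an examination of system assets and vulnerabilities that establishes
an expected loss from certain events based on estimated probabilities of
occurrence. This block carries that definition through: expected annual loss per
asset/event pair, a ranking of the areas needing safeguards, and a cost/benefit
check for one candidate safeguard. All register entries below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Exposure:
    """One asset/event pairing from the risk register (constructed data)."""
    asset: str
    event: str
    asset_value: float      # impact value in dollars if the asset were fully lost
    exposure_factor: float  # fraction of asset_value lost per occurrence, 0..1
    annual_rate: float      # estimated occurrences per year

    def single_loss(self) -> float:
        """Loss expected from one occurrence of the event."""
        return self.asset_value * self.exposure_factor

    def annual_loss(self) -> float:
        """Expected loss per year: single loss times the estimated annual rate."""
        return self.single_loss() * self.annual_rate


# Constructed register modelled on the environment the finding describes
# (regional database, RSC administration servers, CSU workstations).
REGISTER = [
    Exposure("RSC administration server",
             "hardware failure with no tested recovery procedure", 200_000, 0.5, 1.0),
    Exposure("Regional personnel database",
             "unauthorized modification by an over-privileged user", 500_000, 0.2, 0.5),
    Exposure("CSU workstation running the DCPDS client",
             "compromise of an unaccredited workstation", 10_000, 1.0, 2.0),
    Exposure("Database backup media",
             "loss of media in transit", 500_000, 0.1, 0.1),
]


def rank_exposures(register):
    """Order asset/event pairs by expected annual loss, highest first."""
    return sorted(register, key=lambda e: e.annual_loss(), reverse=True)


def total_annual_loss(register) -> float:
    """Sum of expected annual losses across the whole register."""
    return sum(e.annual_loss() for e in register)


def areas_needing_safeguards(register, threshold: float):
    """Pairs whose expected annual loss exceeds the accepted level (in ranked order)."""
    return [e for e in rank_exposures(register) if e.annual_loss() > threshold]


def safeguard_net_benefit(exposure: Exposure, safeguard_cost: float,
                          new_annual_rate: float) -> float:
    """Annual benefit of a safeguard that lowers the event rate, minus its annual cost.

    A positive result means the safeguard pays for itself in expected-loss terms.
    """
    reduced = Exposure(exposure.asset, exposure.event, exposure.asset_value,
                       exposure.exposure_factor, new_annual_rate)
    return exposure.annual_loss() - reduced.annual_loss() - safeguard_cost


if __name__ == "__main__":
    for e in rank_exposures(REGISTER):
        print(f"{e.annual_loss():>10,.0f}  {e.asset}: {e.event}")
    print(f"total expected annual loss: {total_annual_loss(REGISTER):,.0f}")
    # Candidate safeguard (constructed): a tested contingency plan for the server,
    # costed at 30,000 per year and assumed to cut the failure rate to 0.2 per year.
    server = REGISTER[0]
    print(f"contingency plan net benefit: {safeguard_net_benefit(server, 30_000, 0.2):,.0f}")
```

Run directly, the block prints the ranking and the cost/benefit of the constructed contingency-plan safeguard. The inputs are estimates that an organization can produce by interviewing its own administrators and reviewing its asset inventory, which is the point the finding makes: the absence of specialized software does not prevent a risk analysis, and a written, ranked estimate is what lets a designated approving authority judge whether the residual risk is acceptable.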
According to the WHS Information Technology Manager, the RSC did not conduct a risk analysis because it did not have the necessary tools to thoroughly assess and identify all of its risks and vulnerabilities. He further stated that the RSC was procuring security software to assist it in conducting a risk analysis and that WHS would be in a better position to assess and identify all of its risks and vulnerabilities upon receipt of that software, which was received in September 1997. WHS stated that failure to obtain the security software products would result in its inability to complete thorough and comprehensive systems security risk-and-vulnerability assessments and to measure and monitor compliance with its information systems security policies. Although major reliance is being placed on the acquisition of security software to conduct a risk analysis, that reliance does not release WHS from its responsibility to complete one. WHS can use other alternatives to assess its systems security risks and vulnerabilities. Because WHS has not performed a risk analysis, it does not know what its risks and vulnerabilities are, and it has no assurance that its system is secure in accordance with DOD regulations.
As a result, WHS cannot ensure the confidentiality, integrity, and availability of more than 10,000 personnel records.

Followup With WHS by the Directorate of Personnel Data Systems. Despite the DCPDS Acquisition Program Manager's emphasis on the high priority that effective risk management and security safeguards have with program management, and on the need for the components' continued support to achieve appropriate measures against threats and vulnerabilities, he did not assess whether the regions performed the operational certifications or risk analyses. The Acquisition Program Manager also did not follow up with WHS to determine the status of completion or target completion dates. Specifically, the Central Design Activity Security Coordinator could not provide evidence of a completed operational certification and risk analysis for WHS, or a target date for completion.

Other Information Assurance Controls

Systems Security Test and Evaluation. WHS and its CSUs provided no evidence that they conducted a test and evaluation of the security of the system. The objective of the systems security test and evaluation is to assess the technical and nontechnical implementation of the security design and to ascertain that the security features affecting confidentiality, integrity, and availability have been implemented. Systems should be subject to a systems security test and evaluation to ensure that they meet the environmental and operational security requirements.

Accreditation. The Directive requires that each automated information system be accredited to operate in accordance with a set of security safeguards approved by the designated approving authority.
As of late August 1997, neither WHS nor the On-Site Inspection Agency had an interim accreditation; however, in October 1997, WHS requested and received an extended interim authority to operate. According to the designated approving authority for WHS, WHS was operating without an interim authority from August 7, 1997, through October 6, 1997. In the absence of a signed statement of accreditation, an interim authority to operate should be obtained. (An interim authority to operate can be obtained in 90-day increments for up to 1 year.) WHS is currently using the interim system, which should be accredited by the designated approving authority to indicate that due care has been taken to protect the information in the system. A reaccreditation will be required when the target system is operational if changes to the interim system affect the accredited safeguards or the prescribed security requirements. As a result, WHS has no assurance that its CSU systems are approved to operate using a prescribed set of safeguards at an acceptable level of risk and that the CSUs have taken due care to protect the information in the system.

General Information Assurance Training and Awareness. The Directive states that, as a minimum security requirement, a training and awareness program must be in place for the security needs of all persons accessing the automated information system.
The security training and awareness program should ensure that all persons responsible for the automated information system or the information in it, and all persons who access the automated information system, are aware of operational and security-related procedures and risks. Although security awareness briefings for new users were conducted, security management personnel and users of the DCPDS at WHS have not received periodic annual training in computer security awareness, and an information assurance training and awareness program with annual refresher classes was not implemented. Until recently, management did not emphasize the importance of information systems security training and awareness. According to the Information Systems Security Officer, an annual training program in computer security awareness had not been developed because of other, higher priority job assignments and insufficient time available for developing such a program. For example, until recently, the routine job responsibilities of the Information Systems Security Officer included writing contract statements of work, meeting daily with the contractors, preparing information technology budget submissions, attending the information technology budget meetings and briefings, maintaining and continuously updating the inventory database, acting as the network manager, and performing additional duties as assigned. The appointment as Information Systems Security Officer was itself one of those additional duties and, for that reason, did not get the attention needed to implement an adequate information assurance training and awareness program. As a result, WHS has no assurance that security management personnel and users have the computer security awareness necessary to promote a secure system environment.
According to the General Services Administration Interagency Training Center, lack of awareness is one of the major causes of damage to Federal Government computer operations. The lack of awareness among computer users of the types of threats that can cause damage, and of the vulnerabilities that permit them to cause damage, is the primary problem. Awareness and planned responses to abnormal events can dramatically reduce the incidence of all other problems.

Coordination With DOD Components on Training Requirements

The DCPDS functional and acquisition program managers did not coordinate with WHS in regard to providing training requirements for designated security personnel, such as the Information Systems Security Manager, the Information Systems Security Officer, the Network Administrator, and the System Administrator for the DCPDS. The Information Systems Security Officer, the Network Administrator, and the System Administrators at WHS were not adequately trained to perform their duties. For example, event audit logs were rarely used because the Network Administrator was not trained on how to use them without generating an overload of information that would eventually shut down the system. The lack of coordination with WHS and the lack of training requirements addressing system-specific responsibilities for security personnel could compromise the security posture of the RSCs and CSUs processing personnel data.
As a result, required information assurance controls were not in place. Without those controls, WHS cannot ensure the confidentiality, integrity, and availability of more than 10,000 personnel records.

Corrective Actions Taken or Planned

In September 1997, in an effort to comply with all aspects of the required security laws, WHS obtained security software that will work with its recently purchased firewall. The security software will be used to manage and audit all servers on the network. Implementing the security tools will allow the WHS information technology managers to establish, manage, and enforce DOD, Office of the Secretary of Defense, and directorate information technology security policies, while providing a framework for integrating systems security functions. The security software will be used to monitor systems security, detect suspicious actions as well as patterns of abuse, and respond automatically according to established security policies. WHS plans to use the security software features to perform a systems security risk-and-vulnerability assessment.

The Information Systems Security Officer at WHS is currently incorporating an annual mandatory computer security awareness training course. The course will be conducted at least annually, in accordance with the Computer Security Act of 1987, and will highlight and summarize the contents of the automated information system security plan. Also, WHS plans to disseminate monthly bulletins from the National Institute of Standards and Technology that address computer security.

Conclusion

The DCPDS functional and acquisition managers did not coordinate with WHS about providing training requirements for designated security personnel for the DCPDS.
Personnel designated as the Information Systems Security Manager, the Information Systems Security Officer, the Network Administrator, and the System Administrator neither received nor attended any system-specific information assurance training addressing their roles and responsibilities.

Despite DOD requirements and the guidance provided by the DCPDS Acquisition Program Manager, neither the WHS RSC nor its CSUs -- WHS, the Joint Staff, and the On-Site Inspection Agency -- conducted a risk analysis to identify security risks, determine their magnitude, and identify areas needing safeguards, nor did they conduct accreditations of their workstations to support DCPDS certification and accreditation.

Also, other information assurance controls, such as a security plan, a contingency plan, a systems security test and evaluation, and a signed statement of accreditation by the designated approving authority, were not always developed, completed, and implemented.

Management Comments on the Finding and Audit Response

The Director, Washington Headquarters Services, and the Department of the Air Force commented on the finding. Although not required to comment, the Director, Civilian Personnel Management Service, also commented on the finding. We revised the finding as necessary. A summary of those comments and our response is in Appendix E. The full text of the comments is in Part III.

Recommendations, Management Comments, and Audit Response

Revised Recommendation. As a result of management comments, we revised draft Recommendation 1.c. to clarify the nature of the actions needed to improve the information assurance program for DCPDS.

1.
We recommend that the Director for Personnel and Security, Washington Headquarters Services, direct the appropriate security personnel to:

a. conduct a risk analysis for its organization to identify and define overall system threats and vulnerabilities.

Washington Headquarters Services Comments. WHS concurred, stating that a risk analysis for the WHS RSC was conducted on October 1, 1997. A copy was provided to the Audit Team Leader on December 31, 1997, after the draft report was issued.

b. conduct a systems security test and evaluation.

Washington Headquarters Services Comments. WHS concurred, stating that a systems test and evaluation of the WHS RSC information technology infrastructure will be completed by the end of the third quarter of FY 1998.

c. establish a memorandum of agreement with the customer support units that access the regional database. The memorandum of agreement should require the customer support units to complete a security plan, contingency plan, and system accreditation and to conduct a risk analysis and systems test and evaluation.

Washington Headquarters Services Comments. WHS nonconcurred with the draft report recommendation, stating that no command and control relationship exists between the WHS RSC and the CSUs and that each CSU is responsible for completing its own security plan, security policy, contingency plan, and system accreditation and for conducting a risk analysis and systems test and evaluation. Each CSU is responsible to its designated approving authority for obtaining approval to operate.
The introduction of the DCPDS client software into the information technology environment of each CSU should trigger the information technology managers to conduct a new risk analysis and obtain an updated approval from the respective designated approving authority. Because WHS has no relationship with the CSU command structure, other than providing human resource management support, no authority currently exists for WHS to conduct an independent risk analysis of any of its customers' workstations or other information technology components.

Audit Response. The WHS comments are partially responsive. Despite the lack of a command and control relationship between the WHS RSC and the CSUs, risks exist to the integrity, availability, and confidentiality of the personnel data processed using the DCPDS, and they need to be addressed. Although each CSU is responsible for completing its own security plan, security policy, contingency plan, system accreditation, risk analysis, and systems test and evaluation for its information technology environment, the CSUs can access the WHS RSC regional database, which processes more than 10,000 personnel records. The WHS RSC should seek assurance that the CSUs have adequately implemented security within their information technology environments. We have revised our recommendation to have WHS establish a memorandum of agreement with the CSUs that access the regional database to obtain assurance that the CSUs complete a security plan, contingency plan, and system accreditation and that they conduct a risk analysis and systems test and evaluation.
The recommendation does not imply that WHS should complete the required security documentation or conduct an independent risk analysis for its CSUs. The memorandum of agreement should be used as a tool for obtaining assurance that the CSUs have adequately implemented security and are exemplifying good security practices before new interim system software releases are fielded and the CSUs are granted access to the regional database. We request that WHS provide comments on the revised recommendation.

2. We recommend that the Technical Director, Directorate of Personnel Data Systems, Air Force Personnel Center, develop and implement procedures to coordinate with Washington Headquarters Services and its customer support units and other DOD Components on establishing system-specific training requirements for designated security personnel for the Defense Civilian Personnel Data System information assurance program.

Department of the Air Force Comments. The Department of the Air Force concurred, stating that the DCPDS acquisition program management, in conjunction with the Civilian Personnel Management Service, is developing a System Security Annex to the DCPDS Training Support Plan.
The Annex will be provided to the DOD Components to plan, develop, and execute training strategies for functional and technical personnel involved in the operation of the DCPDS. The Annex will also contain the knowledge, skills, abilities, and training requirements for network security officers and users at all operational levels. The System Security Annex was scheduled to be completed by July 1998. Additionally, starting in May 1998, the DOD Components will be required to brief the status of their risk analyses and operational certifications at DCPDS Computer Security Working Group meetings.

Part II - Additional Information

Appendix A. Audit Process

Scope and Methodology

We conducted an on-site review of information assurance policies, procedures, and practices. We reviewed information planning documents such as the security policy, security plan, risk analysis, contingency plan, and security test and evaluation, dated from August 1991 through November 1997. We determined whether systems access controls, physical security, and security training and awareness programs were developed and implemented. We reviewed user, system, and network administrator security practices. We identified and interviewed key security personnel such as the Information Systems Security Manager, Information Systems Security Officer, System Administrator, Network Administrator, and DCPDS managers. We conducted interviews to determine the level of training provided for DCPDS, personnel process improvement software applications, and information assurance. We did not rely on computer-processed data to accomplish the overall audit objective.

Scope Limitation.
We did not evaluate the security of the network and communications infrastructure because DOD resources were not available to conduct vulnerability assessments.

Contacts During the Audit. We visited or contacted individuals and organizations within DOD and the Federal Government. Further details are available upon request.

Audit Period and Standards. We performed this economy and efficiency audit from June through November 1997 in accordance with auditing standards issued by the Comptroller General of the United States, as implemented by the Inspector General, DOD. Accordingly, we included tests of management controls considered necessary.

Management Control Program

DOD Directive 5010.38, "Management Control (MC) Program," August 26, 1996, requires DOD organizations to implement a comprehensive system of management controls that provides reasonable assurance that programs are operating as intended and to evaluate the adequacy of the controls.

Scope of Review of the Management Control Program. We reviewed the WHS management controls as they related to the DCPDS information assurance program. Specifically, we reviewed WHS controls for security planning, risk analysis, and security management for DCPDS. We also reviewed management's self-evaluation of those controls.

Adequacy of Management Controls. We identified material management control weaknesses for WHS, as defined by DOD Directive 5010.38. The controls for information assurance were inadequate to ensure the confidentiality, integrity, and availability of the information stored on and processed by DCPDS.
The recommendations in this report, if implemented, will improve the controls for protecting DCPDS. A copy of this report will be provided to the senior official responsible for management controls at WHS and at the Air Force Personnel Center.

Adequacy of Management's Self-Evaluation. Management did not identify the DCPDS program or computer security as an assessable unit and, therefore, did not identify or report the material management control weaknesses identified by the audit. Management did not conduct an evaluation for FY 1996. Management did not reevaluate all assessable units, as it had planned, to ensure that management controls were addressed for all risk areas in the Personnel and Security Division after the regionalization efforts in FY 1996.

Appendix B. Summary of Prior Coverage

General Accounting Office

GAO Report No. AIMD-96-144 (OSD Case No. 1213), "DoD General Computer Controls: Critical Need to Greatly Strengthen Computer Security Program," September 30, 1996. The report discusses the General Accounting Office evaluation of the general computer controls at several large Navy and Marine Corps computer installations and at selected Defense Information Systems Agency megacenters. The report notes security weaknesses that would allow hackers and legitimate users to improperly access, modify, or destroy sensitive DOD data. The report recommended a centralized security management program with defined responsibilities, periodic reviews, and monitoring and reporting of improvement actions. DOD management concurred with all findings and recommendations.

GAO Report No. AIMD-96-84 (OSD Case No. 1150), "Information Security: Computer Attacks at Department of Defense Pose Increasing Risks," May 22, 1996.
The report discusses the General Accounting Office review of the extent to which DOD computers are being attacked, the potential for damage, and the challenges faced in responding to the attacks. The General Accounting Office noted that attacks are increasing and damaging and are a threat to national security. The General Accounting Office concluded that policies are out of date and inconsistent and that many users are not aware of the magnitude of the problem. The report recommended that the Secretary of Defense strengthen the DOD information systems security program by improving policies and procedures, increasing user awareness, setting standards, monitoring security, and establishing responsibility and accountability. DOD management agreed with the report's findings and recommendations.

Office of the Inspector General, DOD

Report No. 98-127, "Information Assurance of the Defense Civilian Personnel Data System - Navy," April 29, 1998. The audit objective was to evaluate the adequacy of information assurance for DCPDS as it related to the Navy. Specifically, the audit evaluated DCPDS security planning, risk analysis, and security management. The report concludes that the Navy Pacific Region and two of its three human resources offices have made DCPDS information assurance a high priority and have computer security programs in place. However, at the beginning of the audit, its Human Resources Office Marine Corps Base Hawaii Kaneohe Bay did not have a security program in place. As a result of the inadequate information assurance controls at Human Resources Office Marine Corps Base Hawaii Kaneohe Bay, the Navy cannot ensure the
confidentiality, integrity, and availability of more than 209,000 Navy and Marine Corps civilian personnel records. The Human Resources Office Marine Corps Base Hawaii Kaneohe Bay took corrective action during the audit by developing a security policy and an interim authority to operate and by conducting a system security test and evaluation. It also appointed key security management positions, established a risk analysis safeguard checklist to identify and define overall system threats and vulnerabilities for the computers that run the Defense Civilian Personnel Data System, and initiated ongoing security awareness training in accordance with the Computer Security Act of 1987. The report recommended that the Human Resources Office Marine Corps Base Hawaii Kaneohe Bay improve the adequacy of its Defense Civilian Personnel Data System information assurance program by completing an overall security plan and a contingency plan. The Department of the Navy concurred with the recommendations and has initiated the needed actions.

Report No. 98-082, "Information Assurance of the Defense Civilian Personnel Data System," February 23, 1998. The audit objective was to determine the adequacy of the information assurance program for major automated information systems, specifically to evaluate DCPDS security planning, risk analysis, and security management. The report concludes that the DCPDS information assurance program did not have adequate controls in place to safeguard DCPDS data and resources. As a result, DCPDS has high risks of unauthorized system access, intentional and unintentional alteration and destruction of data, and denial of service to authorized users. The report recommended strengthened oversight and management of DCPDS information assurance.
Also, the report recommended the establishment of information assurance functional requirements and the implementation of information assurance measures to protect DOD civilian personnel data. The Director, Civilian Personnel Management Service, stated that, by acquiring C2-compliant system hardware and software, no perceivable threats would remain in the DCPDS processing environment that must be countered by system design. In addition, the Director stated that a computer security response team, representing the Major Automated Information Systems Review Council, identified risks to DCPDS through a facilitated risk assessment program, and that the acquisition program manager is developing an action plan to mitigate program risks. The Director nonconcurred with a draft recommendation to revise the operational requirements document to include validated threat information and also nonconcurred with the threat requirements and funding to protect the DOD civilian data. The Director stated that the facilitated risk analysis provided a comprehensive list of threats and is a more appropriate analysis for the DCPDS. The Director also stated that he does not recognize coordination with the acquisition program manager as a problem and that there are no funding deficiencies for protecting DOD civilian personnel data. The Director agreed with the recommendation to coordinate and approve a certification and accreditation plan to protect the DCPDS and commented that his office is determining which organizational component will serve as the operating DCPDS designated approving authority. Air Force management and the Assistant Secretary of Defense (Command, Control, Communications, and Intelligence) management agreed with the report's findings and recommendations.

Report No.
98-024, "Security Controls Over Systems Serving the DoD Personnel Security Program," November 19, 1997. The audit objective was to evaluate security controls over the computer system serving the DOD personnel security program, which the Defense Investigative Service administers. The report states that the Defense Investigative Service did not have adequate controls to protect personnel security systems and data from compromise. Therefore, the Defense Investigative Service cannot ensure that unauthorized individuals are prevented from accessing, modifying, or destroying the highly sensitive DOD personnel security information that it administers. The report recommended that the Defense Investigative Service communicate specific security requirements, modify memorandums of agreement and contracts to include system security, develop and implement access control policies, isolate critical resources in the system architecture, and improve physical security. The Defense Investigative Service did not agree with the overall characterization of its system security status, but agreed with all recommendations and initiated responsive actions.

Report No. PO 97-049, "DOD Management of Information Assurance Efforts to Protect Automated Information Systems," September 25, 1997. The audit objective was to determine the effectiveness of DOD management of information assurance efforts to protect automated information systems. The report concludes that the security safeguards and practices that protect DOD automated information systems need improvement.
Inefficient and\n     ineffective implementation of the Defense-Wide Information Systems Security\n     Program, outdated policies and procedures, inadequate direction and oversight,\n     and lack of accountability for information systems security management controls\n     contributed to the inadequate security safeguards. The report recommended\n     developing procedures to determine the Defense information infrastructure\xe2\x80\x99s\n     security posture, developing an information assurance strategic plan, and\n     incorporating accountability requirements for personnel responsible for\n     safeguarding DOD automated information systems. The Acting Assistant\n     Secretary of Defense (Command, Control, Communications, and Intelligence)\n     generally concurred with the finding and recommendations and, in coordination\n     with the Services, Joint Staff, and Defense agencies, was establishing an\n     integrated management process to extend DOD oversight of information\n     assurance programs and activities to all DOD Components.\n\n\nAir Force Audit Agency\n     Project No. 96054027, \xe2\x80\x9cData Communications Security,\xe2\x80\x9d April 15,\n     1997. The audit objective was to determine whether the Air Force adequately\n     protects sensitive-but-unclassified information transmitted over the Air Force\n     Internet. The report concludes that Air Force systems continued to transmit\n     sensitive-but-unclassified information unprotected over the Air Force Internet\n     because the Air Force system managers had not conducted a risk analysis. Users\n     and system managers of 5 of the 11 systems examined were not aware of the\n     increased risk of using the Air Force Internet or of the sensitive nature of the\n     information. 
The Air Force Audit Agency recommended a risk analysis for each\n    system to identify the current risks of transmitting sensitive-but-unclassified\n    information over the Air Force Internet, as well as emphasizing protection\n    requirements to the designated approving authorities. Air Force management\n    officials agreed with the overall audit results and planned responsive actions.\n\n    Project No. 93058001, \xe2\x80\x9cReview of Personnel Concept III System Security\n    and Equipment Management,\xe2\x80\x9d April 3, 1995. The audit objective was to\n    determine whether selected security and control procedures were properly\n    implemented in the Personnel Concept III computer system. The report\n    concludes that the Air Force did not implement adequate security access\n    protection for the system and did not properly account for computer equipment.\n    The Air Force Audit Agency recommended implementing separation-of-duty\n    requirements, maintaining consolidated accreditation databases, identifying\n    system threats and areas requiring additional protection, and implementing\n    proper control and authorization of passwords. Air Force management officials\n    agreed with the overall audit results and planned responsive actions.\n\n\nOther Related Coverage\n    Defense Science Board Task Force, \xe2\x80\x9cInformation Warfare-Defense (IW-D),\xe2\x80\x9d\n    November 21, 1996. The Defense Science Board Task Force was established to\n    study the protection of information interests of national importance through a\n    credible information warfare defensive capability. 
The report concludes that\n    action is needed to defend against possible information warfare attacks against\n    DOD systems that could affect the ability of DOD to carry out its responsibilities.\n    The task force recommended 50 actions ranging from identification of a focal\n    point within DOD for information warfare activities to allocation of\n    approximately $3 billion over the next 5 years to implement recommendations.\n\n    Joint Security Commission, \xe2\x80\x9cRedefining Security,\xe2\x80\x9d February 28, 1994. The\n    Joint Security Commission report addresses the processes used to formulate and\n    implement security policies in DOD and the intelligence community. The Joint\n    Security Commission concluded that the clearance process was needlessly\n    complex, cumbersome, and costly. The Joint Security Commission made\n    recommendations to create a new policy structure, enhance security, and lower\n    cost by avoiding duplication and increasing efficiency.\n\n\n\nAppendix C. Glossary\n   Federal and DOD organizations have published numerous definitions for terms\n   to describe conditions, events, and key officials involved with safeguarding\n   automated information systems. We primarily used definitions from DOD\n   Directive 5200.28, \xe2\x80\x9cSecurity Requirements for Automated Information\n   Systems,\xe2\x80\x9d March 21, 1988, and definitions from other guidance authorized by\n   that Directive.\n\n   Accreditation. Accreditation is the formal declaration by a designated\n   approving authority that a system is approved to operate in a particular security\n   mode using a prescribed set of safeguards at an acceptable level of risk.\n   Accreditation is the official management authorization for operation of an\n   information system and is based on the certification process as well as other\n   management considerations. 
The accreditation statement affixes security\n   responsibility with the designated approving authority and shows that due care\n   has been taken for security. (DOD Directive 5200.28)\n\n   Availability. Availability is the timely, reliable access to data and information\n   services for authorized users. (DOD Directive 5200.40, \xe2\x80\x9cDOD Information\n   Technology Security Certification and Accreditation Process,\xe2\x80\x9d December 30,\n   1997)\n\n   Certification. Certification is the comprehensive evaluation of the technical\n   and nontechnical security features of an information system and other\n   safeguards, made in support of the accreditation process, to establish the extent\n   to which a particular design and implementation meets a set of specified security\n   requirements. (NSTISSI\xc2\xb9 No. 4009)\n\n   Certification Official. The certification official is the person responsible to the\n   designated approving authority for ensuring that security is provided for and\n   implemented throughout the life cycle of an automated information system,\n   beginning with the concept development phase through its design, development,\n   operation, maintenance, and secure disposal. (DOD Directive 5200.28)\n\n   Confidentiality. Confidentiality is the assurance that information is not\n   disclosed to unauthorized entities or processes. (NSTISSI No. 4009)\n\n   Contingency Planning. Contingency plans are developed and tested in\n   accordance with Office of Management and Budget Circular A-130 to ensure\n   that automated information systems\xe2\x80\x99 security controls function reliably and, if\n   not, that adequate backup functions are in place to ensure that security functions\n   are maintained continuously during interrupted service. If data are modified or\n   destroyed, recovery procedures must be in place. 
(DOD Directive 5200.28)\n\n\n   \xc2\xb9 National Security Telecommunications and Information Systems Security Instruction.\n\n\n\nData Integrity. Data integrity is the condition that exists when data are\nunchanged from their source and have not been accidentally or maliciously\nmodified, altered, or destroyed. (NSTISSI No. 4009)\n\nDesignated Approving Authority. The designated approving authority is the\nofficial with the authority to formally assume responsibility for operating a\nsystem at an acceptable level of risk. The designated approving authority must\nbe at the organizational level, have the authority to evaluate the overall mission\nrequirements of an information system, and provide definitive directions to\nautomated information system developers or owners on the risk in the security\nposture of the system. (DOD Directive 5200.28)\n\nInformation Systems Security Manager. The Information Systems Security\nManager is the person responsible for implementing the overall security\nprogram approved by the designated approving authority. The Information\nSystems Security Manager focuses on automated information system security\nand should not participate in the day-to-day operation of the automated\ninformation system. (National Computer Security Center-Technical\nGuideline-027)\n\nInformation Systems Security Officer. The Information Systems Security\nOfficer is the person responsible to the designated approving authority for\nensuring that security is provided for and implemented. 
Specifically, the\nInformation Systems Security Officer is to:\n    \xe2\x80\xa2  maintain a plan for system security improvements and progress toward\nmeeting the accreditation,\n    \xe2\x80\xa2  evaluate known vulnerabilities to ascertain whether additional safeguards\nare needed, and\n    \xe2\x80\xa2  ensure that audit trails are reviewed periodically. (DOD Directive\n5200.28)\n\nRisk Analysis. A risk analysis is an analysis of system assets and\nvulnerabilities to establish an expected loss from certain events based on\nestimated probabilities of occurrence. (DOD Directive 5200.28)\n\nSecurity Awareness Training. Mandatory periodic security awareness training\nis required for all persons involved in management, use, or operation of Federal\ncomputer systems that contain sensitive information. (Computer Security Act\nof 1987, Public Law 100-235)\n\nSecurity Mode. The security mode is the description of the conditions under\nwhich a system operates, based on the sensitivity of the information processed\nand the clearance levels, formal access approvals, and need-to-know of its\nusers. The four modes of operations are the dedicated mode, system-high\nmode, compartment or partitioned mode, and multilevel mode.\n(NSTISSI No. 4009)\n\nSecurity Test and Evaluation. A security test and evaluation is the\nexamination and analysis of the safeguards required to protect an information\ntechnology system, as they have been applied in an operational environment, to\ndetermine the security posture of that system. (NSTISSI No. 4009)\n\nThreat. A threat is any circumstance or event that has the potential to cause\nharm to an information system in the form of destruction, disclosure, adverse\nmodification of data, or denial of service. (NSTISSI No. 4009)\n\nVulnerability. 
Vulnerability is a weakness in an information system or its\ncomponents (such as system security procedures, hardware design, and\nmanagement controls) that could be exploited. (NSTISSI No. 4009)\n\n\n\nAppendix D. Configuration for the Defense\nCivilian Personnel Data System\n   DCPDS Database. The WHS civilian personnel records are maintained on the\n   DCPDS database at the Air Force Information Processing Activity located at\n   Randolph Air Force Base in San Antonio, Texas. The DCPDS database\n   contains more than 750,000 civilian personnel records, of which 10,000 are\n   processed by WHS. The CSU accesses the regional database at the RSC, which\n   updates the DCPDS database at Randolph Air Force Base.\n\n   DCPDS Connectivity. The DCPDS database is networked to regional\n   databases, which, in turn, link to CSUs and agency managers and supervisors. The\n   RSC network is a Microsoft Windows NT and UNIX Hewlett Packard network\n   with a Fiber Distributed Data Interface backbone. The RSC maintains the\n   regional database that the CSUs access. A connection of the Fiber Distributed\n   Data Interface Networking Services from the router provides the RSC\n   connectivity to the Office of the Secretary of Defense.\n\n   The regional database server provides support for the human resources\n   requirements of the entire WHS region. The CSUs access the regional database\n   server for the human resources information that is contained in the database\n   resident on the server. Connectivity from the RSC to the DCPDS database at\n   Randolph Air Force Base is provided through the Non-Classified Internet\n   Protocol Router Network. The CSUs access the database using the Common\n   Desktop Environment Runtime application program from the CSU workstation\n   computers. 
The Common Desktop Environment Runtime application program\n   allows the CSU users to run the personnel process improvements application\n   programs directly from the user workstation computers. The personnel process\n   improvements application programs provide electronic means to generate, route,\n   and process personnel actions; create and classify positions; initiate, route, and\n   track training requests; and access current personnel database and associated\n   data from other functional areas. The personnel process improvements\n   applications effectively bypass the CSU server and move all of the functionality\n   of the server onto the workstation computer. Currently, no servers are at the\n   CSUs. WHS does not see the need for servers at the CSUs unless the amount\n   of data being processed increases significantly. However, according to the\n   WHS Information Technology manager, depending on the new technical and\n   architectural designs for the target system, the final decision on whether to place\n   servers at the CSUs will be determined by the Central Design Activity and the\n   Civilian Personnel Management Service.\n\n\n\nAppendix E. Management Comments on the\nFinding and Audit Response\n\n   The Director, Washington Headquarters Services; the Air Force; and the\n   Civilian Personnel Management Service provided comments on the finding.\n   For the full text of management comments, see Part III.\n\n   Washington Headquarters Services Comments on General Information\n   Assurance Training and Awareness. The Director, WHS, stated that the\n   Directorate for Personnel and Security, WHS, performs initial system security\n   training for new employees upon their entry on duty. WHS also conducts\n   annual refresher training for all of its employees. Adequacy of the training\n   materials is currently under review. 
WHS plans to have a completely revised\n   information system security training program by the fourth quarter of FY 1998.\n\n   Audit Response. According to the Information Systems Security Officer, the\n   computer security training was in the form of a briefing and was provided to\n   new employees only. We were not provided data indicating that computer\n   security training was conducted as an annual refresher to all employees.\n   According to the Information Systems Security Officer, an annual computer\n   security training and awareness course will be required for all employees.\n   During the audit, we were told that the Directorate for Personnel and Security,\n   WHS, was incorporating an annual mandatory computer security awareness\n   course that would be conducted in accordance with the Computer Security Act\n   of 1987. That corrective action was noted in the draft audit report.\n\n   Department of the Air Force Comments on Coordination With DoD\n   Components. The Department of the Air Force disagreed with the part of the\n   finding that the DCPDS functional and acquisition program managers did not\n   coordinate with WHS about their respective security management roles and\n   responsibilities for the DCPDS information assurance program.\n\n   According to the Department of the Air Force, DCPDS program managers\n   coordinated security management roles and responsibilities with DOD\n   Component project management through working group meetings over the last\n   3 years. Chaired by the DCPDS functional program management office, the\n   working group is used as a forum to develop and coordinate security policy,\n   guidelines, and documentation for the modern DCPDS. Additionally, security\n   management roles and responsibilities for the modern DCPDS are specified in\n   the modern DCPDS Security Support Plan.\n\n   The modern DCPDS Computer Security Working Group will develop a security\n   annex for the modern DCPDS Training Support Plan. 
The annex will identify\n   training requirements for security personnel, including the Information Systems\n   Security Manager, the Information Systems Security Officer, the Network\n   Administrator, and the System Administrator. The security annex will also\n   apply to the interim DCPDS.\n\n   Civilian Personnel Management Service Comments on Coordination With\n   DoD Components. The Civilian Personnel Management Service disagreed with\n   the finding and stated that the Air Force Personnel Center had coordinated with\n   the DOD Components concerning security management roles and responsibilities\n   for the interim DCPDS. Specifically, the Air Force Personnel Center provided\n   system administrator training, manuals, and software release announcements to\n   the DOD Components covering practices and procedures for granting access to\n   the interim system. The Civilian Personnel Management Service, as the\n   functional proponent for the DCPDS, also stated that recently it had published a\n   coordinated modern DCPDS policy and security support plan, which define the\n   respective security management roles and responsibilities for the modern\n   DCPDS.\n\n   The Civilian Personnel Management Service agreed with the finding in that the\n   DCPDS functional and acquisition program managers did not provide any\n   training requirements for the designated security personnel such as the\n   Information Systems Security Manager, the Information Systems Security\n   Officer, the Network Administrator, and the System Administrator for the\n   DCPDS. According to the Civilian Personnel Management Service, training\n   requirements for designated security personnel using the legacy and interim\n   DCPDS were not provided. The modern DCPDS Computer Security Working\n   Group will develop a security annex for the modern DCPDS Training Support\n   Plan. 
The annex will identify training requirements for security personnel,\n   including the Information Systems Security Manager, the Information Systems\n   Security Officer, the Network Administrator, and the System Administrator.\n   The security annex will also apply to the interim DCPDS.\n\n   Audit Response. The draft report stated that the DCPDS functional and\n   acquisition program managers did not coordinate with WHS in their respective\n   security management roles and responsibilities for the DCPDS information\n   assurance. The statement was not meant to imply that the Air Force Personnel\n   Center did not coordinate with the DOD Components by providing system\n   administrator training, manuals, and software release announcements to the\n   DOD Components\xe2\x80\x99 program. Instead, the intent was to emphasize the lack of\n   coordination with DOD Components regarding the establishment of training\n   requirements for designated security personnel. To eliminate confusion, we\n   have revised the finding and clarified the report to emphasize the lack of\n   coordination for training requirements for DOD Components.\n\n   Department of the Air Force and Civilian Personnel Management Service\n   Comments on the Executive Summary and Audit Background. The\n   Department of the Air Force and the Director, Civilian Personnel Management\n   Service, stated that the language used in those elements of the audit report may\n   confuse readers because it does not distinguish between the legacy DCPDS and\n   the modern DCPDS.\n\n   Audit Response. We revised the language used in the executive summary and\n   Audit Background to distinguish between the legacy DCPDS and the modern\n   DCPDS.\n\n\n\nAppendix F. 
Report Distribution\n\n\nOffice of the Secretary of Defense\nUnder Secretary of Defense for Acquisition and Technology\n   Director, Defense Logistics Studies Information Exchange\nUnder Secretary of Defense (Comptroller)\n   Deputy Chief Financial Officer\n   Deputy Comptroller (Program/Budget)\nAssistant Secretary of Defense (Command, Control, Communications, and Intelligence)\nUnder Secretary of Defense for Personnel and Readiness\n   Deputy Assistant Secretary of Defense (Civilian Personnel Policy)\n   Director, Civilian Personnel Management Service\nAssistant Secretary of Defense (Public Affairs)\nDirector, Administration and Management\n   Director, Washington Headquarters Services\n      Director for Personnel and Security\nDirector, On-Site Inspection Agency\nDirector, Joint Staff\n\nDepartment of the Army\nAuditor General, Department of the Army\n\nDepartment of the Navy\nAssistant Secretary of the Navy (Financial Management and Comptroller)\nAuditor General, Department of the Navy\n\nDepartment of the Air Force\nAssistant Secretary of the Air Force (Financial Management and Comptroller)\nAuditor General, Department of the Air Force\nCommander, Air Force Personnel Center\n  Technical Director, Directorate of Personnel Data Systems, Air Force Personnel\n      Center\n\nOther Defense Organizations\nDirector, Defense Contract Audit Agency\nDirector, Defense Information Systems Agency\nDirector, Defense Logistics Agency\nDirector, National Security Agency\n   Inspector General, National Security Agency\nInspector General, Defense Intelligence Agency\n\nNon-Defense Federal Organizations and Individuals\nOffice of Management and Budget\nTechnical Information Center, National Security and International Affairs Division,\n   General Accounting Office\n\nChairman and ranking minority member of each of the following congressional\n  committees and subcommittees:\n\nSenate Committee on Appropriations\nSenate Subcommittee on Defense, Committee on Appropriations\nSenate Committee on Armed Services\nSenate Committee on Governmental Affairs\nHouse Committee on Appropriations\nHouse Subcommittee on National Security, Committee on Appropriations\nHouse Committee on Governmental Reform and Oversight\nHouse Subcommittee on Government Management, Information, and Technology,\n   Committee on Government Reform and Oversight\nHouse Subcommittee on National Security, International Affairs, and Criminal Justice,\n   Committee on Government Reform and Oversight\nHouse Committee on National Security\n\n\n\nPart III - Management Comments\n\n\nWashington Headquarters Services Comments\n\n\n                      OFFICE OF THE SECRETARY OF DEFENSE\n                           1550 DEFENSE PENTAGON\n                           WASHINGTON, 
DC 20301-1550\n\n\n\n\n      MEMORANDUM FOR DIRECTOR, ACQUISITION MANAGEMENT,\n                     DEPARTMENT OF DEFENSE INSPECTOR GENERAL\n\n      SUBJECT: Audit Report on Information Assurance for the Defense Civilian Personnel\n               Data System - Washington Headquarters Services\n               (Project No. 7FiE-300643)\n\n\n\n\n              Issues raised in the draft Audit report which do not directly apply to Washington\n      Headquarters Services have not been addressed. Specifically, no response has been made\n      to program management issues accruing to the DoD Civilian Personnel Management\n      Service or the U.S. Air Force Personnel Center.\n\n              I appreciate the opportunity to review and comment on your draft report of the\n      audit and your consideration of my remarks in the publication of your final report.\n      Questions should be directed to Mr. A. L. Papent, (703) 697-1703, Ms. Linda\n      Dunlawy, (703) 617-7112 or Mr. John Dowwy, (703) 617-7113.\n\n\n\n\n                                                    D. O. Cooke\n                                                    Director\n\n\n\n\n                                                                                Final Report\n                                                                                 Reference\n\n\n\n\nFindings:\n\n      WHS possesses a security policy, security plan, and contingency plan and has\nsystem access and physical security controls in place. 
However, WHS needs to improve\ninformation assurance for DCPDS because it did not have the required information\nassurance controls in place to do the following:\n\n\n       a. conduct a risk analysis for its organization to identify and define overall\nsystem threats and vulnerabilities as required by DOD Directive 5200.28, \xe2\x80\x9cSecurity\nRequirements for Automated Information Systems (AISs),\xe2\x80\x9d March 21, 1988 (the\nDirective),\n\n        b. complete a systems test and evaluation, or\n\n                                                                                Revised\n\n\n      a. Concur - A Risk Analysis for the WHS Regional Service Center (RSC) was\nconducted 1 October 1997, and a copy provided to Ms. Dorothy Dixon, Audit Team\nLeader, 31 December 1997. Item complete, no further action required.\n\n      b. Concur - A systems test and evaluation on the WHS RSC information\ntechnology infrastructure will be completed by the end of the 3rd quarter, FY 98.\n\n        c. Nonconcur -\n\n\n\n\n           a. 
\xe2\x80\x9cSecurity Plan\xe2\x80\x9d (Page 8 of the Audit Report)\n\n\n           ...\xe2\x80\x9cAlthough the On-Site Inspection Agency\xe2\x80\x99s security policy stated that a system\n           security plan will be prepared and maintained for all of its information systems,\n           including networks processing classified or sensitive information, it did\n           not provide a completed security plan. Without an established security plan, the On-Site\n           Inspection Agency has no assurance that it has developed a strategy for implementing\n           security controls and a methodology for meeting its security requirements.\xe2\x80\x9d\n\n\n\n\n       WHS can neither concur nor nonconcur with this finding. As noted above, no\ncommand and control relationship exists between the WHS RSC and the CSUs. Each\nCustomer Support Unit is responsible for completing its own security plan, security\npolicy, contingency plan and system accreditation and to conduct a risk analysis and\nsystems test and evaluation for their own IT environments.\n\n       As noted on page 5, in the section of your DRAFT Audit Report outlining\n\xe2\x80\x9cResponsibilities for DCPDS Information Assurance\xe2\x80\x9d, \xe2\x80\x9cRSC Responsibilities. The\nRSC is responsible for instituting its own security\nprotection mechanisms and procedures as well as for implementing the minimum security\nrequirements needed for systems to be secure in accordance with DOD regulations. To\nmeet minimum security requirements, WHS must accredit its automated information\nsystem. 
An accreditation is the approval to operate in a particular security mode using\na prescribed set of safeguards at an acceptable level of risk. Part of the\naccreditation process is performing a risk analysis of system assets and vulnerabilities\nto establish an expected loss from certain events based on estimated probabilities of\noccurrence.\xe2\x80\x9d As noted above, a Risk Analysis for the WHS RSC was conducted.\nSystem security plans and policy documents were\nsubmitted to the WHS DAA. We have recently been verbally informed that our interim\naccreditation was made.\n\n        As noted on page 6, in the section of your draft Audit Report outlining\n\xe2\x80\x9cResponsibilities for DCPDS Information Assurance\xe2\x80\x9d, \xe2\x80\x9cCSU Responsibilities. The\nCSU systems architecture consists primarily of personal computers that\nprocess sensitive-but-unclassified data. To achieve appropriate measures against those\nvulnerabilities, each CSU is responsible for conducting a risk analysis to identify\nmost risks and threats associated with each workstation that processes personnel data.\xe2\x80\x9d\n\n        In conclusion, each CSU is responsible to their DAA for obtaining approval to\noperate. The fact that DCPDS client software has been introduced into the CSU IT\nenvironments should trigger the CSU IT managers to conduct a new risk analysis and\nobtain an updated approval from their respective DAA. Since WHS has no relationship\nwith the CSU commands, other than in providing human resource services,\nWHS is in no position to assess the risks or threats imposed by the introduction\nof the PPI client software on the CSU IT infrastructure. Additionally, no authority\ncurrently exists for WHS to conduct an independent risk analysis of any of its customers\xe2\x80\x99\nworkstations or other IT components. Recommend your Office address this issue directly\nto OSIA.\n\nb. 
\xe2\x80\x9cContingency Plan\xe2\x80\x9d (Page 9 of the Audit Report)\n                                                                                        Page 8\nFindings:\n\n       \xe2\x80\x9cThe Joint Staff and the On-Site Inspection Agency did not provide contingency\nplans.\xe2\x80\x9d\n\n\n\n\n                   Partially concur. A Risk Analysis for the WHS RSC was conducted 1 October\n            1997, and a copy provided to Ms. Dorothy Dixon, Audit Team Leader, 31 December\n            1997. Additionally, Ms. Dixon was furnished a copy of the operational Contingency\n            Plan for the WHS RSC provided by the DCPDS acquisition program manager on 14\n            November 1997. Item complete, no further action required.\n\n                   WHS cannot concur or nonconcur with references to risk analyses being\n            conducted for any CSUs other than WHS. (The Risk Analysis and accreditation for the\n            WHS CSU is included with that of the WHS RSC.) However, as it pertains to the other\n            supported customer support units and as noted above, no command and control\n            relationship exists between the WHS RSC and those CSUs. Each CSU is responsible for\n            completing its own security plan, 
security policy, contingency plan, system accreditation\n            and to conduct a risk analysis and systems test and evaluation for their own IT\n            environments.\n\n\n\n            System Security Test and Evaluation (Page 10 of the Audit Report)\n\n            Findings:\n\n                   \xe2\x80\x9cWHS and its CSUs provided no evidence that they conducted a test and\n            evaluation of the security of the system.\xe2\x80\x9d\n\n\n\n\n      Partially concur. A systems test and evaluation on the WHS RSC and the WHS\nCSU information technology infrastructure will be completed by the end of the 3rd\nquarter, FY 98.\n\n       As previously stated, WHS can neither concur nor nonconcur with references to\nrisk analyses being conducted for any CSUs other than WHS. (The Risk Analysis and\naccreditation for the WHS CSU is included with that of the WHS RSC.) However, as it\npertains to the other CSUs and as noted above, no command and control\nrelationship exists between the WHS RSC and those CSUs. Each CSU is responsible for\ncompleting its own security plan, security policy, contingency plan, system accreditation\nand to conduct a risk analysis and systems test and evaluation for their own IT\nenvironment.\n\n                                                                             Page 10\n\n\n\n\nConcur with this finding as it relates to WHS. As previously noted, however, interim\naccreditation has been verbally received by the DAA. 
Fmtbcr,esindhtulabove,\nperceiveddeficiehes with eny CSUs shouldbe eddmsxd toepeItiUlhClLS@mer\nSqporILhtk\n\n\n\n\nFindings:\n\n\xe2\x80\x9c...Akbougb security\n                 awalutes sb&?fmgsfornewususwerecotId~~ty\nmauagementpetsonnetend WIE of tbe DCPDSet WHS have not receivedperjodic\n\n\n\n\n                                              39\n\x0c               Wash&ton Headquarters Services Comments\n\n\nFinal Report\n Reference\n\n\n\n\n                          almd~prOgrSminc4mlputuSaamity-                          hSlidllOtbCClldCVCl0pCd\n                          bccaue  of otha higher priority job ass&mu& and ins&&i& time avnilable for\n                          dcvhphg    such a ppponm. For example, Mail recently, tIm mutine job rqonsibilitics\n                          Of~IInforma~S~Secprity               Oacaindudsdwritiageontnd~Of\n\n\n\n\n                                  Noxoncm.    Altbo@thcIz&mdonSysttmr~~~huattLer\n                          mspcmsibiiitksassignedtohim,thedutLesdidnotpmcludebisdmlopiagand\n                          implcmmtingaviablswmputu#cmityrwuareor            ~xogmm. hootaiintbcaudit\n                          repon=+ty       awalwdsbri~fornewuaersorc-                    upontkircnrmnceon\n                          duty. A&Wmauy,c4chanployc!eofthewHS-for-andSecaltity\n                          rcceivesulrnnvlupd8tebri&gaadtbt!setxi&ngs~~tedbytbcInfo~ation\n                          SystcmsSeaxityOf&r.\n\n                                  hadditic0toinitialcxanpWsccwity~                tminingbeingprovidedtoal1\n                          DP&S employees, W?IS pssolmcl also provide sccuity a-             lJfk%gSUprrtOf\n                          thetrai&gpmvidaitonewusasoftbeDCPDSPPIsni@.                
Uaertminingandsecwity\n                          briefings are a pxwq&itetorazeivingvaliduserlogonsandpasswo&toaccessthcPPI\n                          SUitC.\n\n\n\n  Page 11\n                          NOtApphbktOWHS\n\n\n\n\n                                                                             40\n\x0c                                      Washington Headquarters Services Comments\n\n                                                                                       Final Report\n                                                                                        Reference\n\n\n\n\n                                                                                       Page 13\nlkdiugc\n\n\xe2\x80\x9c1. we recommd that the Dileuor for Personnel and Swlity. washingtoa\nHexlquartcrs Services, direct the appropriate sexrity puwncl at WHS to:\n       a conduct a risk analyrrisfor its organization td identify and define overall\nsystanthrcatsandvulnunbiics.\n          b. conduct a systems security test and cvahation.\n\n       c. ensuretbat its customer support units compk a security plaq contingency      Revised\nphn, and system acc~itation and conduct a risk analysis and systems test and\nevaluation.\n\n\n\n\n       b. Concur - A systems test ~JWJ\n                                     evahtion on the WHS RSC information\ntechoology infkbWuv will be completedby the end of the 3\xe2\x80\x9d quarter, FY 98.\n       c. Nonconcur-\n\n               (1) No command and eomtrolrelationship exists bctwcn the w\xe2\x80\x99HS RX\naadtheCSUs. EacbCutomcz Support Unit is responsible for completing its own\nSaxrity pkn. 
security policy, cuntiqau2y plan and system accreditation and conduct a\nIi& analysis and systems test and cvaluntion.\n\n\n\n\n                                                       41\n\x0cWashington Headquarters Services Comments\n\n\n\n\n                                        42\n\x0c,Department of the Air Force Comments\n\n\n\n\n      MEMORANDUM        FOR ASSISTANT INSPECTOR GENERAL FOR AUDITING\n                            OFFICE OF THE INSPECd  GENERAL\n                            DEPARTMBNT OF DEFENSE\n\n      FROM: HQ AFCIUSYNI\n            1250 Air Force Pentagon\n            Washington, DC 2033&1250\n\n      SW         InformatiwAsmanccfortkDefenscCivilianPammelDataSyStm-\n                 Wuhhgton Hcadquar~as Suviccs (Project No. 7RE-3006.03)\n\n\n\n\n             If you have ally qu@ions or need fultha assdmcc pkaac uxltaa Ms. McIinrl8 Palmer,\n      (703)58%6167. AFCICJSYNI, or Major Mmh          (703)614-2478, AF/DPCX.\n\n\n\n\n      Cc:\n      AFCICnTAl\n      AFCIC/SYSS\n      AF/DPCx\n      SAFiFTvfPF\n\n\n\n\n                                                            43\n\x0cDepartment of the Air Force Comments\n\n\n\n\n                                  DEPARTMENT OF THE AIR FORCE\n                                  HEAW1)*RTERSUNITED STATES AIR FORCE\n                                             WASHINGTON,     DC\n\n\n\n\n                                                                                     37yQi\n          MEMORANDUM FOR AFCIUITAI\n          FROM: AFtDPCX\n          SUBJECT: DoDlG DmfI Rcpa, hfornution Amraw       for the Dcfcw Civilian Pmoancl\n                   Data System- Wcuhington Hcadquaters Services\n\n\n\n\n                Ifyouhavcanyqwtiworwedfrntherassinancc            please conIact Mqi M&       703-\n          6142478 or amoil nhwauk@dp.hq.ti&.\n\n\n\n\n                                                           Chief, Plans and Raqrrirrmeots Division\n                                                           
Dircctolarc of Civilian Pasonnel Policy\n                                                           and Personnel PIaus\n\n\n\n          Acquisition Program Managemad Rcspmse\n          cc:\n          SAFIFMPF\n          AFClUSYSS\n\n\n\n\n                                                    44\n\x0c                                     Department of the Air Force Comments\n\n\n                                                                            Final Report\n                                                                             Reference\n\n\n\n\n            Acquisition Program Manager Msnrgcmcat Respopsc\n                          to a Dmf: Audit Report on\n    Information Assutmce of the Defense Civilian Personnel Data Syrtcm\n                      Wcsbington Badquarters Ssrviw,\n                           Pro]& No. 7RE-3006.03,\n                          Dated Deeember 17,1997.\n\n\n\n\nSectioa I: Draft Audit Report Findings:\n\n\n\n                                                                             Revised\n\n\n\n\n                                      45\n\x0cDepartment of the Air   Force   Comments\n\n\n\n\n                                           46\n\x0cDepartment   of the Air Force Comments\n\n                                         Final Report\n                                          Reference\n\n\n\n\n                                         Revised\n                                         Page 11\n\x0c               Department of the Air Force Comments\n\n\nFinal Report\n Reference\n\n\n\n\n  Page 12\n\n\n\n\n                         Soctioa II Rccommcndatioo   for Corroctivc   Action\n\n\n\n\n                                                               48\n\x0c                                    Department of the Air Force Comments\n\n\n                                                                           Final Report\n                                                                            
Reference\n\n\n\n\nSfction III Matchal Managcntent Core01   Woak~ess\n\n\n\n\n                                                                           Page 19\n\n\n\n\n                                                                           Page 19\n\n\n\n\n                                   49\n\x0cCivilian Personnel Management Service Comments\n\n\n\n                                         DEPARTMENT       OF DEFENSE\n                              C,\xe2\x80\x9c,L,AN     PLRSONNLL    MANAGEMENT       SERWCE\n                                              1400 KM   SOULEVAUQ\n                                           ARLINGTON.   VA ZZZOS-SlU\n\n\n\n\n     MEMORANDUM FOR DIRECTOR, READINESS AND OPERATIONAL SUPPORT\n                      DIRF%YORATE, DEPARTMENT OF DEFENSE INSPECTOR\n                      GENERAL\n\n\n     SUBJECTZ PrqxGed Audit REpm M lnfolm2tion Assurance                 for the Defense Civilian Personnel\n              Data System - Washington Hcadquatters Scnks                @ojcct No. 7RE-3006.03)\n\n\n         This mcmorartdum     constitutes the functional proponent\xe2\x80\x99s     rcsponsc to   theProposed Audit\n\n     Rcpxt   on hformation   Assurance     for the Defense Civilian   h%omel   Data System - Washington\n\n     Headquarters   Services dated December      17.1997 (Project No. 7RE-3006-03).       The attached\n\n     document responds to the applicable findings, identifies our concerns, and explains the revisions\n\n     we believe arc necessary so that the final report will accurately    n$kzt Defense Civilian\n\n     Personnel Data System progr8m information.         We appreciate the opportunity    to comment.\n\n\n\n\n                                                La-)* c*\n                                                   Earl T. 
Payne\n                                                      Director\n\n\n     Attacbmcnt:\n     As stated\n\n\n\n\n                                                                   50\n\x0c                                Civilian Personnel Management Service Comments\n\n\n                                                                                                   Final Report\n                                                                                                    Reference\n\n\n\n\n                  M      Propuaed Audit Report on Information a\n                 fur the Defense f%ilian PeraoMel Data system mcPDsJ=\n                             Washington Headq-      Servim\n                              DoDIG Pmject No. 7RE3006.03\n\n\nExBcuTIvRsuMMARY\n\nIntruduction (page I). \xe2\x80\x98+Thisreport is the third of four reports in our ongoing review of the      Revised\nDefense Civilian Personnel Data System. The Defense Civilii Pemoanel Data System is an\nautomated infotmation system that will process sensitive-but-rmdasaifted information for at kasl\n7SO.ooODefense civilian personnel records at 23 regional personnel senkmg centers and\napproximately 300 customer suppott units. The Defense agencies will establish four of the 23\nnzgional personnel servicing centem. The Washington He-               Services wili serve as\nmanager of the NaticutalCapitol Region Human Resources Services Catter. Initially, the\nWashington Headquartezs !kvices will process ap~roximatcly 10,000 pc\xe2\x80\x99so\xe2\x80\x9d\xe2\x80\x9ccI records at seven\ncustomer support units.\xe2\x80\x9d\n\nResume:     The pmposcd lmguagc may confuse readerssince it does not distinguish between\nthe legacy Defense Civilian ~DataSystem(DCPDS)andthem&ruDCPDSstillunder\ndevelopment. To avoid confusion we ask that you substitute the following language:\n\n     mis report is the third of four reports iu our ongoing review of the Defense Civilian\nPersonnel Data System. 
The DCPDS currently in operation is a legacy automated information\nsystem that ptccessea sensitive-but-unclassified information for approximately 750.000 DOD\ncivilian peason& mcortls. The DepYmvnt of Defense is modemixing the DCPDS as it\nrcgionaliz.es the delivery of civilian pcrsonncl service into 22 Regional Savice Cutters (RSCs)\nand approximately 300 Customer Support Units (CSUs). The modern DCPDS is schedukd to\nreplace the legacy system by the time mgionalixation is completed in PY 1999. The Washington\nHeadquarters Services National Capital Region, Human Reaounxs SeXvicecenter (HRSC), will\nserve as one of the four Defense agency RSCs. The Washington Headquarters Services HRSC\nserves seven CSUs. processing approximately 10,000 personnel records using-&e legacy\nDefense Civilian Persom~l Data Systerz~\xe2\x80\x9d\n\nAUDIT BACKGROUND\n\nDererKe CiVUi &raoMel Data System @age 2). The Assistant kretary of Defense                        Revised\n(Command, Control, Communications. and Intelligence) designated the Defense Civilian\nPersonnel Data System (DCPDS) as an interim standard system in an April 22.1991,\nmemorandum. The memorandum designated the Secretary of the Air Porte as the executive\nagent for the DCPDS. The DCPDS program exists to provide a seamkss automated information\nsystem that will provide support for personnel policy actions and personnel decisions during\npeacetime, contingencies. and wartime. The DCPDS will support all DODComponcn~r\nworldwide and will be used by pelso~el officials, employees, managen. and senior leadership\nat all Icvcis of DODoperations throughout the world. DCPDS is cnvisioncd to enable one\n\n\n\n\n                                              51\n\x0cCivilian Personnel Management Service Comments\n\n\n\n\n         pnonael specialist to pmvide paaonnel services to abut 100 civilisn pasonnel. 
DCPDS is\n         also envisional to eliminate duplicative DODComponent aod Defense agency personnel system\n         costs and to reduce maintenance CMts for mainframe computexs. The cu!TeJItoperational\n         DCPDS qports the Mlitazy apmtment aud Defense agencies and conaim of DCPDS\n         soRMnapplicationscalkdpenotmelprocessimprwnmnu.                   Tbepenannelprocess\n         impmvanents ate ao imporwt clement in migrating to the modem system. The personnel\n         process improvements application progmms provide electronic mcaus to generate. route, and\n         prcccss personae1 actions: create aud classify positions; initiate, route, and sack training\n         requests; and access current pusonncl database and associated data from other functional areas.\n         The DCPDS interim system is designed to improve and enhance puxonnel staffs during tbc DOD\n         transition to a downsized workfcaxzc.\n\n         w            TheproposcdlongurgemryconfustMdersshrceitdasnadistiaguirhbetween\n         thekgacyDCPMandtbeum&rnDCPDSstiilunderdevelopmmt.                     Toavoidconfusionweask\n         that you sutxtitule the following Iaaguage which describes the uaosition of the legacy DCPDS\n         since it was designated as an interim s&ndard system and clarifies the distinctian betweca the\n         legacyDCPDSaadthe-DBDS.\n\n          \xe2\x80\x9cIbe Assistant &craaty of Defense (Cornman& Control, Communications, and Intelligence)\n         desi~edtbc~~~siinterimstandudsyrecminanApril22,199l,wmwtadum.                        The\n         memomndum designated the Saxetary of the Air Force as the executive agent for the DCPDS.\n         At that time, JXPDS consisted of a core system, the Air Fozadeveloprd Persoanel Data\n         System-Civilian (PDSC), plus distinct Army and Navy vusicms of PDSC. Since 1991. 
tbc\n         Deputment has traasitioned the Military Dqttmenu and most D&use agencies to a standard\n         DCPDS.\n\n\n\n\n         TheDeparhnentisnowinthepnxzssof&v&pingamcdunDCPDS.                     Thefunctionalityofthe\n         PPI Suite will bc included in the modem DCPDS. The modem DCPDS will ptwirk a seamless\n         automated infonnatiun system that will suppon pxsonael policy actions md personnef de&bus\n         during peacetime. contingulcies, and WartinE. The modem DCPDS will suppat Components\n         worldwide. Personnel officials, employees. managers, and senior ladcrsbip at all levels of the\n         Deputment will use it. The m&m DCPDS will also eliminate the need for duplicative\n         Componax headquarters petsotmcl systems reduce maintenance costs for mainframe\n         computers.\xe2\x80\x9d\n\n\n\n\n                                                       52\n\x0c                                 Civilian Personnel Management Service Comments\n\n\n                                                                                                      Final Report\n                                                                                                       Reference\n\n\n\n\n                                                                                                      Pages 4,\n                                                    \xe2\x80\x9cAdditionally, the DCPDS ftmctionai and           11, & 12\nacquisition program managers did not coordinate with WHS about their respective security\nmanagement roles and msponsibilities for the DCPDS information assurance prognun.\xe2\x80\x9d\n\nw:         Nonconcur.\n\nThe legacy DCPDS was designed, developed, aud impkmented as an Air Force petsonnet\nsystem in the mid 1970s. When the ASD (Uf) designated tk legacy DCPDS as the interim\nstandard system in 1991. 
the ftmctiotud program managers left tba existing security management\nroles, responsibilities, and processes in place.\n\nAPPC has coordinated with the Components concerning the security management roles and\nresponsibilities for the interim DCPDS. APPC also provided system administrator training and\nmanuals to the Components that cover practices and proccdums for gmnting access to the interim\nsystem. On Pebtuary 12.1997. APPC provided Component systems administrators a software\nrelease annomxement for PPI Version 4.4 of the interim system. This release implemented the\nfirst scripts to configure sewers and workstations in accordance with the established security\npolicy. APPC provided another r&ax announcement for the PPI Version 5.0 in June 1997.\nThis announcement described tk scripts and actions requited 10operate the system audit log\nfeature.\n\nCPM& as the functional proponmt for the DCPDS Modcrnizption Program, is responsible for\ninsuring controls arc in place to safeguard civilian pemomxl records in the modern DCPDS.\nR&y.       CPMS published a coordinated modem DCPDS policy and security support plan.\nThese documents clearly dcfinc ttu mspcctive security managerrunt roles and mspunsibilities for\nthe modern DCPDS. In addition, CPMS is in the final process of identifying the organizational\ncomponent, which will serve as the modem DCPDS Designated Appmving Authority (DAA).\nThe modem DCPDS DAA will appoint a certification official who will oversee the Certification\nand Accreditation (C&A) prccess, and approve the level of risk for the modarn DCPDS. The\nmodern DCPDS DM will oversee the dcvclopmcnt of the C&A package. The C&A package\nwill describe the objectives, msponsibilities, schedule, technical monitoring, and other activities\nin support of the C&A process.\n\nCoordimxtion with DOD Comwnarts (mute 12 and 13). \xe2\x80\x98Specifically. 
tha DCPDS functional\nand xquisition program managers did not provide any training requirements for designated              Pages ll&\nsecurity personnel such as the Information Systems Sccurhy Manager, the Information Systems           12\nSecurity Officer, the Network -or,           and the Systems Administrator for the DCPDS.\xe2\x80\x9d\n\nResponse: Concur.\n\nThe legacy and interim DCPDS operate under existing computer security program mguhttions\nand guidelines. CPMS has not provided training requirements for designated security personnel\nusing the legacy and interim DCPDS. In this environment. Components are msponsible for\ncsrablishing their own security training requirements based on the& specific regulations and\ndirectives.\n\n\n\n\n                                               53\n\x0cCivilian Personnel Management Service Comments\n\n\n\n\n         The modem DCPDS Computer Security Working Group (CSWG). cbaitzd by CF%l!3,will\n         develop a security annex for the mcdun DCPDS Training Supptut Plan. Tbc annex will idartify\n         training rcq uircnxnts for security person&. including the Information Systems hhnagcr, tbe\n         Information Systems Security OEicer, the Network Administrator, and the Systems\n         Adminisnator for tbc modem DCPDS.\n\n         Under the Regionalization Prognun. the modern DCPDS will optra3c in a sandard opeating\n         cnvhnmcnl of servers, w-               pcriPhcr&. and commurticatiottS networks for civilian\n         pcrsotme~operatiotts tbrougbout DOD. A elational dat&ase will link to the client-server\n         network located at Regional service Centers and Customct Support Units. The interim DCPDS\n         is curtcntly deployed in this opcmting cnvimnmcnt. Therefore. 
tbc DCPDS Training Support\n         Plan Security Annex will apply to the interim DCPDS.\n\n\n\n\n                                                     54\n\x0cAudit Team Members\n\nThe Acquisition Management Directorate, Office of the Assistant Inspector\nGeneral for Auditing, DOD, produced this report.\n\nThomas F. Gimble\nMary Lu Ugone\nCecelia A. Miggins\nDorothy L. Dixon\nKathleen Fitzpatrick\nMichael T. Carlson\nBernice M. Lewis\n\x0c\x0c'